The VMware Carbon Black Cloud for Security Operations app automates ticket creation and orchestrates response actions to streamline incident management for security teams.
By integrating Carbon Black Cloud alerts and response actions directly into ServiceNow SecOps, security teams can triage alerts, automatically create security incident tickets, and respond to incidents more quickly without having to manually correlate data between systems. This application delivers full access to endpoint response actions to enable analysts to seamlessly gather context and orchestrate remediation actions all from a single console.
Users should install this app along with the VMware Carbon Black Cloud app to access the full capabilities of this integration, including ingestion of Carbon Black Cloud inventory data to the ServiceNow Configuration Management Database (CMDB) module.
VMware Carbon Black Cloud:
- The VMware Carbon Black Cloud is a cloud-native endpoint, workload, and container protection platform that combines the intelligent system hardening and behavioral prevention needed to keep emerging threats at bay, using a single, easy-to-use console. By analyzing more than 1 trillion security events per day, VMware Carbon Black Cloud proactively uncovers attackers’ behavior patterns and empowers defenders to detect and stop emerging attacks.
- https://www.vmware.com/products/carbon-black-cloud-endpoint.html
Dashboard
- Dashboard for viewing metrics related to alerts, assets, incidents, security incidents and vulnerabilities.
Carbon Black Cloud Alert Ingestion
- Customizable alert ingestion from Carbon Black Cloud to ServiceNow via the Alerts API or Data Forwarder.
- Multi-tenancy: domain separation to configure ingestion and isolation of Alerts data from multiple Carbon Black Cloud organizations.
Carbon Black Cloud Asset Inventory Ingestion
- Creation of ServiceNow Configuration Items based on Carbon Black Cloud endpoints and workloads.
- Synchronization of asset context from Carbon Black Cloud to the ServiceNow Configuration Management Database (CMDB).
- Attachment of Carbon Black Cloud Assets to ServiceNow SecOps and VR ticket types.
Streamlined ServiceNow SecOps Security Incident Creation and Lifecycle Management
- Automated and manual ServiceNow SecOps Security Incident ticket creation based on Carbon Black Cloud Alerts.
- Customizable field mappings between Carbon Black Cloud Alerts and ServiceNow SecOps Security Incident tickets.
- Automated, bi-directional updates between Carbon Black Cloud and ServiceNow for alerts, updates, and dismissal.
SOAR Capabilities
- Built-in context and remediation actions for Security Orchestration, Automation, and Response (SOAR) workflows. Examples include:
  - Quarantine Asset
  - Ban Process Hash
  - Update Asset Policy
  - Get Process Metadata
  - Kill Process
- MITRE ATT&CK framework visualization of TTPs from Carbon Black Cloud alerts in ServiceNow Security Incident tickets.
- Automated logging and record keeping of incident response actions in SecOps Security Incident ticket work notes.
Version 3.0.0
- Major release with updates to core functionality. For details, please visit the VMware Carbon Black Developer Network (https://developer.carbonblack.com/reference/carbon-black-cloud/integrations/).
Support
- The VMware Carbon Black Cloud app is not covered by the Service Level Agreements (SLAs) for VMware Carbon Black Cloud. VMware may offer support to VMware Carbon Black Cloud customers for this optional ServiceNow integration on a best-effort basis.
- Customers may be directed to ServiceNow or VMware support for resolution depending on the particular issue experienced.
- The VMware Carbon Black Cloud app will support only “active” versions of ServiceNow and Carbon Black Cloud, meaning only those versions for which the plugin claims support.
- Once the compatible versions of ServiceNow and VMware Carbon Black Cloud are out of support, the plugin will cease supporting those application versions. For example, once ServiceNow version ‘Quebec’ goes out of support, the VMware Carbon Black Cloud app will also stop supporting ‘Quebec.’
- VMware takes care to allow your personal information to be accessed only by those who really need access in order to perform their tasks and duties, and to share with third parties who have a legitimate purpose for accessing it. We may share information about you with third parties, such as vendors, consultants, agents, business partners and other service providers who work on our behalf to effectively deliver unified support. Please see VMware’s Privacy Notices for additional information (https://www.vmware.com/help/privacy.html).
Customer Agreement
- By deploying, installing, or using this software, you agree to be bound by the ServiceNow Store Terms Of Use and Vendor App Subscription Terms and Conditions, both of which are included in the “Supporting Links and Docs” section of this ServiceNow App Store listing. If you do not agree to the terms, you must not deploy, install or use this software.
- This software on the ServiceNow store is separate from VMware Carbon Black Cloud, but it is designed to be compatible with and to integrate into VMware Carbon Black Cloud. To successfully integrate this software with VMware Carbon Black Cloud, you must have an active subscription to VMware Carbon Black Cloud. The terms and conditions governing the use of VMware Carbon Black Cloud can be found at: https://www.vmware.com/agreements.html.
VMware Carbon Black Cloud
- Active subscription to Carbon Black Cloud
- Particular data and actions available may depend on your subscription type
ServiceNow versions
- Tokyo
- Utah
- Vancouver
ServiceNow Plugins
- VMware Carbon Black Cloud App - Version 3.0.0+
- Domain Support - Domain Extensions Installer
- Security Incident Response
- Threat Intelligence Plugin
- Integration Hub ETL Plugin